U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

PUBLIC RELEASE

OFFICE OF THE CHIEF INFORMATION OFFICER

Additional Focus Needed on Information Technology Security Policy and Oversight

Inspection Report No. OSE-13573 / March 2001

Office of Systems Evaluation

U.S. Department of Commerce                                   Final Inspection Report OSE-13573
Office of Inspector General                                                          March 2001

TABLE OF CONTENTS

EXECUTIVE SUMMARY ......... i

INTRODUCTION ......... 1

BACKGROUND ......... 1

OBJECTIVES, SCOPE, AND METHODOLOGY ......... 4

FINDINGS AND RECOMMENDATIONS ......... 6

I.   The Department's IT Security Policy Needs to Be Revised and Expanded ......... 6
     A. Security plan criteria should be updated ......... 7
     B. The requirements for certification should be revised ......... 8
     C. Self-verification reviews should be encouraged ......... 9
     D. IT security incidents should be reported to the OIG ......... 9
     E. Risk assessment policy should be reconsidered ......... 10
     F. Contingency and disaster recovery back-up planning should be reemphasized ......... 11
     G. Mandatory pre-access training should be highlighted ......... 11
     H. Designated Approving Authority for nonclassified systems should be a management official ......... 12
     I. Related federal requirements should be added ......... 13
     J. Issue-specific policy concerning Internet usage, e-mail, web security, and communications should be added ......... 14
     K. Recommendation ......... 15
     L. CIO response and OIG comments ......... 16

II.  CIO Has Taken Steps to Improve IT Security, But Additional Efforts Are Needed ......... 17
     A. Recommendation ......... 22
     B. CIO response and OIG comments ......... 23

APPENDIXES
     A. Glossary of IT Security Terms
     B. CIO Response to the Draft Report
EXECUTIVE SUMMARY

IT security is a growing concern in government as vulnerabilities, threats, and attacks grow with the dramatic increase in the number of government networks and use of the Internet. In 1997 the General Accounting Office identified IT security as "a new high-risk area that touches virtually every major aspect of government operations." Although there is no single action agencies can take to make their networks completely secure, there are steps that can be taken to mitigate risk, which include developing and overseeing an effective security program based on sound policy.

Commerce Department Organization Order 15-23, July 2000, tasks the Chief Information Officer (CIO) to develop and implement a Departmental Information Technology (IT) security program to ensure the confidentiality, integrity, and availability of information and IT resources. The CIO's responsibilities include developing policies, procedures, and directives for IT security and providing oversight of the Department's operating units.[1] The IT security program is the responsibility of the IT Security Program Manager under the direction of the CIO's Office of Information Policy, Planning and Review.

The objective of this inspection was to assess the effectiveness of the CIO's policy and oversight of the Department's IT security program, generally excluding classified systems, which are the primary responsibility of the Office of Security. We satisfied this objective by evaluating the CIO's compliance with laws and regulations governing IT security. We compared the Department's Information Technology Management Handbook, Chapter 10, "Information Technology Security," and attachment, "Information Technology Security Manual," with the criteria in the laws and regulations to evaluate the CIO's policy. We evaluated oversight by reviewing actions in the last three years related to CIO oversight of the Department's IT security program.

Over the past several years the CIO has increased its focus on IT security and devoted additional resources to this area. In 1999 the CIO assessed IT security planning Department-wide and in 2000 oversaw operating unit self-assessments. As a result of these reviews, operating unit compliance with security requirements has increased. However, because IT security did not receive enough attention in the past, policy and oversight need further improvements. Moreover, even though the CIO is taking steps to improve IT security, it is unclear whether the additional resources will be sufficient to adequately address this complex and growing challenge.

[1] Refers to bureaus, administrations, agencies, and sub-offices within the Office of the Secretary, including the Office of Inspector General.
The Department's IT Security Policy Needs to Be Revised and Expanded

The CIO's policy is out of date because it was developed in 1993 and 1995, prior to a significant revision of Office of Management and Budget Circular A-130, Management of Federal Information Resources, appendix III, "Security of Federal Automated Information Resources." It is missing important components because it has not kept pace with recent trends in technology usage and related security threats. It is important that the Department's policy is current and complete since it is used by the operating units as the foundation of their general policy and to write system-specific policy.

The major areas that need to be revised involve IT security planning, certification of system controls, periodic reviews of individual systems, security incident reporting, risk assessment, contingency and disaster recovery planning, security awareness and training, authorization of systems to process sensitive information, and referencing of related federal IT requirements. In addition, issue-specific policy regarding Internet usage, e-mail, Web security, and communications needs to be added. These areas are discussed on pages 6 through 15. The outdated and incomplete policy may place additional workload on operating units and increase security risk to the Department's information. We recommend that the CIO revise the outdated program policy and incomplete issue-specific policy for the Department's IT security program as soon as possible (see page 15).

Additional IT Security Compliance Procedures Need to Be Implemented

Although the CIO has considerably improved IT security compliance recently, for several years Departmental oversight was minimal. As a result, IT security for many of the Department's systems has not been adequately planned, and IT security reviews have not been performed. In addition, several operating units do not have adequate awareness/training programs or adequate capabilities for responding to IT security incidents. A more complete discussion of IT security compliance is on pages 17 through 22.

The Government Information Security Reform Act requires the CIO to conduct annual reviews of IT security in 2001 and 2002 similar to the 2000 self-assessments it oversaw. In addition, we recommend that the CIO commit to a program of operating unit reviews as soon as possible that extends beyond the act's two-year review requirement. The reviews should determine whether all operating unit policy is in compliance with federal criteria, IT security awareness and training programs have been developed, and formal incident response capabilities have been implemented.

To ensure that IT security is planned and funded in future IT acquisitions, the CIO should work with the Department's Acquisition and Budget managers to ensure that IT-related procurement specifications include security requirements and that the requirements are included in operating unit budgets. The CIO should also ensure that deficiencies in IT security are reported as material weaknesses as required by OMB Circular A-123, Management Accountability and Control, and the Federal Managers' Financial Integrity Act.

In spite of limited resources, the program should also include sampling of operating unit IT security documents to ensure that IT security planning for the Department's most critical systems is complete, systems are properly approved for processing information, the security controls in each system are reviewed periodically, and a mechanism exists for ensuring that only legal copies of software are being used (see page 22).

-------------------------

In the March 30, 2001, response to our draft report, the CIO agreed with all of our recommendations to improve IT security. Specifically, the CIO agreed to revise and expand the Department's IT security policy and plans to update the policy in the immediate future. The CIO also agreed to continue the IT security compliance review program beyond the FY 2002 duration of the Government Information Security Reform Act, to begin security reviews as soon as possible, and to make specific security improvements at the operating unit level. We recognize that during the past two years the CIO has significantly improved the Department's IT security program, but the program still lacks adequate staff to perform the critical IT security function.

The CIO agreed with our recommendation to report security deficiencies as material weaknesses when there is no assignment of security responsibility, no security plan, or no accreditation, but expressed concerns about the ability to implement this recommendation. We believe, however, that the CIO, along with the operating units, should identify the most critical departmental systems, define a reporting strategy, and specify interim milestones.

Even though the CIO is committed to performing IT security compliance reviews beyond the duration of the Government Information Security Reform Act, the lack of adequate staffing will affect the breadth and depth of these reviews. In particular, the lack of adequate staffing will prevent the CIO from performing hands-on compliance reviews of operating units to fulfill OMB reporting requirements for FY 2001. Thus, as the CIO's response notes, reliance will be placed on the results of IT security self-assessments performed by the operating units using the Federal CIO Council's Security Assessment Framework.

The CIO's full response is included as Appendix B to this report.

INTRODUCTION

This report presents the results of our systems evaluation of the Department of Commerce information technology (IT) security program functions assigned to the Chief Information Officer (CIO). IT security issues regarding functions assigned to the Office of Security, primarily for the Department's classified information[2] systems, will be addressed in a subsequent, separate report.

Systems evaluations are reviews of system development, acquisitions, operations, and policy in order to improve efficiency and effectiveness.
They focus on Department-wide computer systems and other technologies and address all project phases, including business process reengineering, and system definition, development, deployment, operations, and maintenance.

The evaluation was conducted in accordance with the Quality Standards for Inspections issued by the President's Council on Integrity and Efficiency, and was performed under the authority of the Inspector General Act of 1978, as amended, and Department Organization Order 10-13, dated May 22, 1980, as amended.

BACKGROUND

According to Department Organization Order 15-23, July 3, 2000, the CIO has Department-wide approval and risk management responsibility for automated information systems, including implementation of policies, plans, and rules, and in collaboration with the Deputy Assistant Secretary for Security, the security of information systems throughout their life cycle. The order tasks the CIO to develop and implement a departmental IT security program to ensure the confidentiality, integrity, and availability of information and IT resources, including developing policies, procedures, and directives for IT security. The order also assigns the CIO explicit oversight responsibility for operating units and the Office of the Secretary.[3]

[2] Information which requires protection against unauthorized disclosure and is marked to indicate its classified status pursuant to Executive Order 12958, Classified National Security Information, April 1995. Classified information is generally afforded more stringent security.

[3] For ease of reference, the words "operating unit(s)" in this report will include operating segments of the Department of Commerce including bureaus, administrations, agencies, and sub-offices within the Office of the Secretary, including the Office of Inspector General.

The CIO developed program-level policy[4] that established the Department's IT security program, including some issue-specific policy focusing on topical areas of importance, such as malicious software (viruses). The Department's program-level and issue-specific policy is used to formulate operating unit policy, including system-specific policy. The CIO's IT security program is the responsibility of the IT Security Manager and a staff of three under the direction of the Office of Information Policy, Planning and Review. The IT Security Manager is responsible for developing IT security policy and overseeing operating unit IT security programs.

IT security is a growing concern in government as vulnerabilities and attacks grow with the dramatic increase in the number of government networks and use of the Internet. To guard against outside attackers is not enough. While most people are aware of external threats from hackers[5] and computer viruses, a significant number of attacks on computer systems come from those who have legitimate access to the networks. It is impossible to gauge the true number of attempted or actual intrusions into federal networks because there is no central repository for such information, but there are indications that the problem is getting worse. Risks to government information have prompted federal agencies to spend billions of dollars on IT security.

Although there is no single action agencies can take to make their networks completely secure, there are steps that can be taken to mitigate risk. There are many architecture-based improvements, such as firewalls,[6] that agencies can add to their systems to improve security. There are also augmentations to an agency's IT security efforts, such as establishing an incident response capability[7] that provides a mechanism for identifying and resolving IT security problems. However, the foundation of effective security programs is the establishment and enforcement of sound IT security policy. Some of the most effective and least costly controls to protect sensitive information, such as properly identifying and authenticating users and limiting access to sensitive information, are fundamentals of effective policy and oversight of IT security practices.

[4] Policy used to create an organization's computer security program. Program-level policy is supported by issue-specific policy that addresses specific issues of concern, and system-specific policy that focuses on decisions taken by management to protect a particular system. System-specific policy is often implemented through the use of access controls.

[5] Over time, this term has been widely accepted as describing someone who breaks into computer systems.

[6] A device that protects a private network from the public part. Usually, a computer is set up to monitor traffic between an Internet site and the Internet. It is designed to increase security by keeping unauthorized outsiders from tampering with a computer system.

[7] A skilled and rapid response capability to computer viruses, malicious user activity, and vulnerabilities before they can cause significant damage. The phrase "incident response" is used in this report to refer to this capability.

In 1997 the General Accounting Office (GAO) identified IT security as "a new high-risk area that touches virtually every major aspect of government operations." GAO identified several underlying factors and concluded that some are not technological factors, but "people" factors, such as "insufficient awareness and understanding of information security risks among senior agency officials," "poorly designed and implemented security programs," "limited oversight of agency practices," and "a shortage of personnel with the technical expertise needed to manage controls." Some of these issues are magnified by rapidly changing technology, employee turnover, and inadequate training.
Fiscal constraints can also be a limiting factor.

The Computer Security Act of 1987, Public Law 100-235, recognized that improving the security of sensitive information[8] in federal computer systems is in the public interest and required the Department's National Institute of Standards and Technology (NIST) to develop standards and guidelines to ensure cost-effective security. The act also required agencies to establish security plans and required mandatory periodic IT security training. The requirements for IT security are reiterated and expanded in the Government Information Security Reform Act, October 2000. The act recognizes the highly networked nature of federal systems and the need for improved security management measures and effective government-wide oversight. The act specifically requires CIO and Office of Inspector General (OIG) oversight. The Office of Management and Budget (OMB) subsequently issued Memorandum 01-08, Guidance on Implementing the Government Information Security Reform Act, January 2001. OMB requires CIO and OIG coordination of the oversight efforts.

OMB issued a revised Circular No. A-130, Management of Federal Information Resources, February 1996, which replaced a 1985 version. The circular's appendix III, "Security of Federal Automated Information Resources," establishes a minimum set of controls and incorporates requirements of the Computer Security Act. The circular also assigns responsibility to NIST for updating existing guidance and developing new guidance, providing federal agencies with assistance concerning effective controls for systems, assessing security vulnerabilities in new information technologies and informing agencies about the vulnerabilities, and coordinating agency incident response activities. As a result, NIST issued several special publications to supplement the act and Circular A-130.

OMB Circular A-130, Appendix III, is more detailed than the two acts and has two main focuses: general support systems and major applications. General support refers to interconnected systems that share common functionality. Local area networks and data processing centers that support multiple users are general support systems. OMB assumes that all general support systems contain some sensitive information. The circular focuses extra security controls on a limited number of particularly high-risk major applications. An application involves the use of information resources (information and information technology) to satisfy a specific set of user requirements. An application could be a payroll system that is supported by a network (general support system) to allow remote entry. A major application is one that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in it.

[8] Information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, but that has not been specifically designated as classified.

OBJECTIVES, SCOPE, AND METHODOLOGY

The objective of this evaluation was to assess the effectiveness of the CIO's policy and oversight of the Department's IT security program, generally excluding classified systems. We satisfied this objective by evaluating the CIO's compliance with laws and regulations governing IT security, including (1) the Computer Security Act of 1987, (2) OMB Circular A-130, Appendix III, "Security of Federal Automated Information Systems," (3) the Government Information Security Reform Act, October 2000, and (4) Department Organization Order 15-23, "Chief Information Officer." Detailed criteria were obtained from the following NIST Special Publications written in response to items 1 and 2:

•  800-04, Computer Security Considerations in Federal Procurements: A Guide for Procurement Initiators, Contracting Officers, and Computer Security Officials, March 1992.
•  800-12, An Introduction to Computer Security: The NIST Handbook, October 1995.
•  800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996.
•  800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, April 1998.
•  800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998.

We compared the Department's Information Technology Management Handbook, Chapter 10, "Information Technology Security," and attachment, "Information Technology Security Manual," against the criteria to evaluate the CIO's policy. The IT Security Program Manager recognizes the need to update all of the CIO's IT security policy and has drafted one revised section. A completion date for revising the bulk of the policy has not been established. We analyzed the Department's policy early in our review and summarized the results in the nine-page document, Preliminary Analysis of Commerce CIO IT Security Policy, October 10, 2000.

We evaluated oversight by reviewing all documents and actions in the last three years related to CIO oversight or management of the Department's IT security program. The review included the CIO's oversight of assessments of operating unit IT security programs based on a recent CIO Council methodology,[9] documentation of meetings between the Office of the CIO and operating units about IT security issues, CIO briefings, a draft FY 2000/2001 IT Security Management Plan, and minutes of Department of Commerce IT Security Coordinating Committee meetings. We interviewed the Director of the Office of Information Policy, Planning and Review and the IT Security Manager, and participated in a demonstration of an IT Security Systems Database under CIO development.

We held an informal entrance conference with the Director, Office of Information Policy, Planning and Review, and the IT Security Manager on August 23, 2000. Our formal entrance conference was held November 14, 2000. Our field work was conducted from August to December 2000. This evaluation and a concurrent evaluation of the Office of Security's policy and management of classified systems are precursors to systems-level reviews we plan to conduct at the Department's operating units.

[9] The methodology used by the Department was contained in the CIO Council's draft Federal Information Technology Security Assessment Framework.
The document was finalized November 28, 2000.\n\n                                                     5\n\x0cU.S. Department of Commerce                                        Final Inspection Report OSE-13573\n\nOffice of Inspector General                                                               March 2001\n\n\n\n                          FINDINGS AND RECOMMENDATIONS\n\nThe Department\xe2\x80\x99s policy and oversight of IT security for sensitive systems needs to be improved.\nThe policy was written before a significant revision to OMB Circular A-130, Management of\nFederal Information Resources, Appendix III, \xe2\x80\x9cSecurity of Federal Automated Information\nSystems,\xe2\x80\x9d in 1996. The policy does not comply with the OMB guidance in several areas, and\nimportant issue-specific topics are omitted.\n\nIn addition to revising and expanding policy, the CIO should implement a compliance review\nprogram to ensure the confidentiality, integrity, and availability of the Department\xe2\x80\x99s sensitive\ninformation. Several factors contributed to the CIO exercising minimal oversight of IT security\nfor several years prior to 1999. A CIO-directed preliminary assessment of operating unit IT\nsecurity programs in March 2000 determined that substantial improvement was needed. The CIO\nincreased its focus on IT security beginning in 1999 and has made considerable progress in\nimproving compliance. However, continued improvement and additional oversight are needed.\n\nI.     
The Department\xe2\x80\x99s IT Security Policy Needs to Be Revised and Expanded\n\nDepartment Organization Order (DOO) 10-5, \xe2\x80\x9cChief Financial Officer and Assistant Secretary\nfor Administration,\xe2\x80\x9d January 14, 1999, Section 2.04, assigns to the Department\xe2\x80\x99s CIO\nresponsibility for Department-wide approval and risk management responsibility for automated\ninformation systems, including development, coordination, and implementation of policies,\nplans, and rules, and in collaboration with the Deputy Assistant Secretary for Security, the\nsecurity of information systems throughout their life cycle. DOO 15-23, \xe2\x80\x9cChief Information\nOfficer,\xe2\x80\x9d July 3, 2000, Section 4.a, further defines the CIO\xe2\x80\x99s responsibility to develop,\ncoordinate, and implement policies and programs for the effective management of the\nDepartment\xe2\x80\x99s IT resources.\n\nThe policy contained in the Department\xe2\x80\x99s IT Management Handbook, Chapter 10, \xe2\x80\x9cIT Security,\xe2\x80\x9d\nand accompanying IT Security Manual, is out of date and missing important elements. The\npolicy is out of date because it was developed in 1993 and 1995, prior to a significant revision of\nOMB Circular A-130. It is missing important components because it has not kept pace with\nrecent trends in technology usage and related security threats. It is important that the\nDepartment\xe2\x80\x99s policy is current and complete because it is used by the operating units as the\nfoundation of their general policy and to write system-specific policy.\n\nOMB Circular A-130 was revised in February 1996. Most of the Department\xe2\x80\x99s policy was\nwritten in September 1993, and the main body of policy has not been updated since the circular\xe2\x80\x99s\nrevision. Section 10.20, \xe2\x80\x9cElectronic Commerce,\xe2\x80\x9d was issued July 1995. Policy sections on local\narea network security and copyrighted software were also added in 1995. 
An e-mail was issued by the Department's Chief Financial Officer in August 1998 concerning Internet Use Policy, but this policy has not been formally incorporated into the IT management directives system.

The major areas of the Department's policy needing revision address the content of IT security plans,[10] the systems certification process, performing verification reviews[11] of individual systems, reporting security incidents, the form of risk assessments, contingency and disaster recovery planning, security awareness and training, the Designated Approving Authority,[12] and referencing related federal IT requirements. Issue-specific policy that needs to be added to the Department's guidance includes Internet usage, e-mail, web security, and communications. These areas are discussed in sections A through J.

A.       Security plan criteria should be updated

The security plan criteria referred to in subsection 10.2 of the Department's IT Management Handbook, Chapter 10, "IT Security," are outdated. They are based on OMB Bulletin No. 90-08, which was superseded by the revised OMB Circular A-130 and no longer reflects current policy. The revised circular outlines new format and content requirements, including the addition of two important areas: rules of behavior[13] and technical controls.[14]

The revised circular also assigns NIST responsibility for providing agencies with guidance on security planning. To fulfill this responsibility, NIST issued Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998.
The publication includes more detailed guidance on systems analysis; plan development; management,[15] operational,[16] and technical controls for major applications and general support systems; and a format for writing rules of behavior. Although the CIO issued a memorandum in 1999 alerting operating units to the current guidance, the updated policy should be included in a revision to the IT Management Handbook.

[10] A plan that provides an overview of a system's security requirements and describes the controls in place or planned for meeting those requirements.
[11] System-level reviews to ensure that appropriate protection is being provided based on a system's unique requirements. An overview of the requirements should be documented in the system's IT security plan.
[12] OMB Circular A-130 requires that general support systems and major applications be authorized for processing before use or when established systems undergo significant changes. The Department defines the person who grants this authorization as the Designated Approving Authority.
[13] Requirements for use of, security in, and the acceptable level of risk for a system. They delineate responsibilities for those with access to the system and specify limits on interconnections to other systems, service provisions, and restoration priorities. They also specify consequences of behavior not consistent with security policy.
[14] Features that are part of, or can be used by, systems to improve security. They include procedures for identifying and authenticating system users, restricting access to specified information, establishing audit trails and logs, and using cryptography (the process of mathematically scrambling understandable information, rendering it unintelligible, and subsequently restoring it to an intelligible form).

B.       The requirements for certification should be revised

Certification is in-depth testing of technical controls. In the past, certification has been a requirement for system accreditation,[17] that is, authorizing a system for processing. Subsection 10.3 in Chapter 10 assumes that in-depth certification testing of technical controls is necessary to support accreditation. However, according to NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995, Chapter 9, "Assurance," it is now recognized that other analyses, such as risk analysis or audit, can provide sufficient assurance for accreditation and should be considered for lower-risk systems.

OMB Circular A-130 recognizes that management authorization should be based on an assessment of management, operational, and technical controls. Since the security plan establishes the security controls, it should form the basis for the authorization, supplemented by more specific analyses as needed. The circular further states that systems should be re-accredited at least every three years.
Performing certifications on the hundreds of Commerce systems requires considerable time and resources, and as a result, certifications are not always performed. If alternative procedures were used for accrediting lower-risk systems, such as using the information security assessments scheduled to be performed on the Department's critical infrastructure systems,[18] more systems would be accredited, while realizing significant savings.

[15] Policy, program and system-level management, risk management, and assurance (including accreditation; see footnote 17 for a definition of accreditation).
[16] Personnel/user controls; preparation for contingencies and disasters; handling security incidents; awareness, training, and education; systems support; and physical and environmental security.
[17] According to OMB Circular A-130, accreditation is the authorization of a system to process information, granted by a management official. By authorizing a system to process information, a manager accepts the risk associated with it.
[18] Systems essential to the minimum operations of the government. Many critical infrastructure systems are subject to accreditation. In September 2000 the CIO arranged for the training of 36 staff representing a variety of operating units in the methodology for conducting information security assessments, and is encouraging operating units to perform self-assessments. The CIO also indicated that some operating units have requested funds to contract for assessments.

C.      Self-verification reviews should be encouraged

Verification reviews are performed on individual systems based on their unique security requirements to ensure that appropriate levels of protection are being provided. According to subsection 10.5 of the Department's Handbook, these reviews must be performed independently of the system owner. The Department's policy does not distinguish between verification reviews for general support systems and those for major applications. Circular A-130, however, encourages self-verification reviews for lower-risk systems.

For general support systems, reviews should ensure that management, operational, and technical controls are functioning effectively. Security controls may be reviewed by an independent audit or a self-review. The type and rigor of review should be commensurate with the acceptable level of risk established in the rules of behavior for the system and the likelihood of learning useful information to improve security during a review. For example, a general support system used in conjunction with a major application would typically be subject to a more rigorous review than a local area network supporting office automation. Circular A-130 recommends independent reviews for major applications because of their higher risk.

Technical tools, such as virus scanners, vulnerability assessment products, and penetration testing, can assist in the ongoing review of different facets of systems. However, these tools are no substitute for a formal management review at least every three years. For some high-risk systems with rapidly changing technology, more frequent reviews may be necessary. Self-reviews would reduce the need for the Department to assemble and oversee independent review teams and could result in increased coverage and significant resource savings.

D.      IT security incidents should be reported to the OIG

The Department's current policy specifies that IT security incidents[19] should be reported to the IT Security Manager. The policy should also require operating units to notify the OIG because of the responsibilities specified in the Inspector General Act, as amended, and Departmental Administrative Order 207-10 for keeping abreast of significant issues in the Department.

[19] A compromise of integrity, such as when a virus infects a program or a serious system vulnerability is discovered; denial of service, such as when an attacker has disabled a system or a network worm has saturated network bandwidth; misuse, such as when an intruder (or insider) makes unauthorized use of an account; damage, such as when a virus destroys data; and intrusions, such as when an intruder penetrates system security.

The Department's policy on handling security incidents is contained in section 6.1, "Malicious Software," of the IT Security Manual, and was reinforced in a July 8, 1999, memorandum from the Department's CIO to the operating unit CIOs. The policy calls for operating units to notify the IT Security Manager within 24 hours and submit a structured written report as soon as possible after the occurrence of an incident. Through informal means, the OIG has been notified of some incidents, but reporting has been inconsistent.

Unless the requirement to notify the OIG of security incidents is specifically identified in the Department's policy, agencies may not know about the requirement.
The Inspector General Act of 1978, as amended, requires the Inspector General to keep the Secretary and the Congress fully and currently informed about problems and deficiencies relating to the administration of Department of Commerce programs and operations and the necessity for and progress of corrective action, and to report potential federal crimes to the Attorney General. In some cases, operating units notify the Attorney General directly, cutting the OIG out of the information loop. According to Department Administrative Order 207-10, operating units must promptly report to the OIG the possible existence of violations of laws, rules, or regulations.

While reviewing the CIO's files of written incident reports from operating units, we observed that the vast majority were for unsuccessful access attempts that were of no consequence to the operating unit. In other words, the reported events did not involve intrusion into the Department's systems, networks, or web sites and did not involve any manipulation, destruction, or loss of data or systems, or denial of service, but rather were minor nuisances. Under these circumstances, the Department may want to consider changing its reporting requirements to include only those incidents that the operating units believe could be significant, such as actual intrusions, the detection of viruses, denial of service attacks, defacing of web sites, or even repeated access attempts from the same address. Statistics on failed attempts could be kept by operating units and reported centrally on a periodic basis. The revision of reporting requirements would ease the burden of central reporting on the operating units and the Office of the CIO.

E.      Risk assessment policy should be reconsidered

The Department's policy requires documented risk assessments[20] to ensure that the balance of vulnerabilities, threats, and safeguards achieves a residual level of risk that is acceptable based on the sensitivity or criticality of the individual system. The analyses may vary from informal but documented reviews for smaller, lower-risk systems to fully quantified risk analyses for systems that are larger and carry more risk. The revised circular, however, no longer requires the preparation of formal risk analyses, not even for larger, more complex systems.

[20] The process of analyzing and interpreting risk. The terms "vulnerability analysis" or "vulnerability assessment" are sometimes used synonymously with risk assessment. However, vulnerability analysis/assessment is just one component of risk assessment. When assessing risk to an asset, vulnerability must be considered along with threats and safeguards.

OMB recognizes that "in the past, substantial resources have been expended doing complex analyses of specific risks to systems, with limited tangible benefit in terms of improved security for the systems." OMB's risk-based approach to IT security now recognizes that "security efforts are better served by generally assessing risks and taking actions to manage them." Additional guidance on performing assessments is contained in NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, Chapter 7, "Computer Security Risk Management," October 1995.

Related to risk analysis, and required by Presidential Decision Directive 63 to provide security for the nation's critical infrastructure, are vulnerability assessments. The Department's universe of critical infrastructure assets in many cases overlaps its classified and sensitive computer systems inventory. The analysis of vulnerabilities along with threats and safeguards is an integral part of analyzing the risk to assets. Because of the interrelationship of the two assessments and the similarity of the Department's universes of critical infrastructure assets and sensitive IT systems, the CIO intends to link the assessments. This linkage should also be made in its IT security policy. Combining the assessments could improve efficiency while also improving operating unit compliance.

F.     Contingency and disaster recovery back-up planning should be reemphasized

Chapter 10, Section 10.8, "Contingency and Disaster Recovery Planning," provides good policy concerning backup and retention of data and software, emergency response actions, and resumption of normal operations. The policy also requires selection of a backup or alternate operations strategy. However, the policy does not state whether manual procedures are a viable backup option.

The revised OMB circular states that manual processing is generally not a viable backup option for general support systems and major applications. Manual operations may be acceptable for operations where volume is low and there is assurance that automated operations can be resumed in a relatively short time frame. However, the lack of specific policy on backup options may create a false sense of security about the continuity of important departmental operations. Information technology has become more vital to the continuity of government operations as automation investments have increased. Loss of automated support for some of the Department's functions could halt or significantly impair operations. The OMB guidance on manual backup, therefore, should be included in the Department's revised policy.

G.      Mandatory pre-access training should be highlighted

The Department's current policy states that all new employees will receive an IT security awareness briefing as part of their orientation within 60 days of their appointment, and be provided with refresher security awareness material or briefings at least annually.
OMB Circular A-130, however, requires that employees be trained on how to fulfill their security responsibilities before being allowed access to sensitive systems. Failure to make individuals with access to systems aware of their security responsibilities increases security risk.

For general support systems, employees involved in the management, use, or operation of federal computer systems within or under the supervision of the federal agency, including contractors, need training on how to fulfill their security responsibilities, including the rules of behavior, before access is permitted. Access provided to the public should be constrained by controls in the application through which access is allowed, and training should be within the context of those controls. Training should also inform users how to get help in the event of difficulty with using or securing the system. Training may vary from interactive computer sessions or well-written and understandable brochures to formal classroom training, depending on the amount of system risk.

For major applications, individuals with access should receive specialized training focused on their responsibilities and the application rules of behavior. The specialized training may be in addition to the training required for access to the system. According to the circular, "this training could vary from a notification at the time of access (e.g., for members of the public using an information retrieval application) to formal training (e.g., for an employee that works with a high-risk application)."

H.     Designated Approving Authority for nonclassified systems should be a management official

The Department's policy establishes the operating unit CIOs as the Designated Approving Authority for accrediting all sensitive IT systems within the Department.
The authority at the operating unit level can be delegated only to a senior management official who does not have direct control over the IT system being accredited. This policy is contrary to OMB Circular A-130, Appendix III, B, "Descriptive Information," a.4, which states that authorization is not a decision that should be made by security staff, but rather, normally, by the person having general responsibility for the organization supported by the system.

The circular states that general support systems should be accredited in writing by the management official, based on implementation of the system's security plan, before beginning or significantly changing processing in the system. The circular further requires that the system be re-authorized at least every three years. Since the security plan establishes the security controls, it should form the basis of the accreditation. The circular specifically prohibits security staff from making the decision.

Similarly, major applications should be accredited by the management official responsible for the function supported by the application. The intent of the requirement is to ensure that the senior official whose mission will be adversely affected by security weaknesses in the application periodically assesses and accepts the risk of operating the application. Accreditations of major applications should take into consideration the risks from the general support systems used by the application.
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995, Chapter 9, "Assurance," section 9.1, supports the circular by stating that "accreditation is a management official's formal acceptance of the adequacy of a system's security."

The OMB criteria encourage participation of IT security professionals and management officials in a collaborative effort. We believe that OMB has highlighted the importance of management involvement because, in the past, managers have not always taken an active role in understanding the risks of, and establishing controls over, the sensitive information they are responsible for. To ensure this involvement, the CIO should take an active role in ensuring that accreditations are properly performed, but senior managers should decide the level of risk for the systems.

I.     Related federal requirements should be added

A broad spectrum of federal criteria must be understood to effectively manage IT resources. Several are closely interrelated with IT security and should be included in the Department's policy. For example, there is no provision in the policy for reporting IT security deficiencies as material weaknesses pursuant to OMB Circular A-123, Management Accountability and Control, and the Federal Managers' Financial Integrity Act (FMFIA). Failure to report significant IT security weaknesses could result in a lack of management attention to unacceptably high security risks. The policy also does not require that a summary of agency security plans be included in the information resources management plan that is sent to OMB.

Circular A-130 requires a review of security controls in each system when significant modifications are made to the system, but at least every three years.
The scope and frequency of the review should be commensurate with the acceptable level of risk for the system as determined during accreditation. Circular A-130 asks operating units to identify security deficiencies pursuant to Circular A-123 and FMFIA if during the reviews it is determined that there is no assignment of security responsibility, no security plan, or no accreditation. The operating unit's determination to report a material weakness should depend on the risk and magnitude of harm that could result from the weakness.

The requirement that a summary of agency security plans be included in the information resources management plan is contained in the Computer Security Act of 1987. To ensure that the plan summaries could not be used to attack the Department's sensitive or classified systems, specific vulnerabilities should not be revealed there.

There are several other federal policies that should be included and logically linked to IT security, including OMB Memorandum 00-07, Incorporating and Funding Security in Information Systems Investments, February 2000; the Clinger-Cohen Act, 1996, which links security to agency capital planning and budget processes; and Presidential Decision Directive 63, Protecting America's Critical Infrastructures, 1998, which specifies agency responsibilities for protecting the nation's infrastructure and assessing and eliminating vulnerabilities.
The new Government Information Security Reform Act makes reference to additional criteria, including the Chief Financial Officers Act of 1990, the Government Performance and Results Act, 1993, and the Federal Financial Management Improvement Act, 1996.

J.     Issue-specific policy concerning Internet usage, e-mail, web security, and communications should be added

The Department's policy does not include relevant issue-specific security guidance for topics such as Internet usage, e-mail, web security, and communications. The Department issued policy in April 1992 through Departmental Notice Series 92-3, "Establishment of Departmental Policy for E-Mail Privacy," but the policy addresses security only to the extent of transferring information about an individual in electronic form.

More comprehensive guidance was issued in August 1998 in an e-mail from the Department's Chief Financial Officer and Assistant Secretary for Administration concerning Internet use policy. The Internet policy links precautions on the transfer of information using the Internet and e-mail to the security standards used to certify and accredit the Department's systems. This policy should be incorporated into the Department's IT security policy and linked to communications, cryptography, and digital signatures as appropriate. Policy concerning web security and communications security should be developed and linked in a similar manner.

Issue-specific policy should address current concerns relevant to the organization. This policy should be updated more frequently than general program policy, as changes in technology and security threats occur. The policy should contain an issue statement that explains the CIO's position, applicability, roles and responsibilities, compliance, and points of contact.
Operating units should be given responsibility for translating the issue-specific policy into system-specific policy based on particular system security objectives and the rules of behavior specified in IT security plans. For example, the system-specific policy should indicate which data or records can and cannot be transferred via e-mail or the Internet and state whether security controls such as cryptography apply to the transfer of specified information.

Complete and up-to-date issue-specific policy is important because, along with program-level policy, it forms the basis for operating unit policy. Specific guidance on the formulation of issue-specific policy is contained in NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995, Chapter 5, "Computer Security Policy," and NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996, section 3.1, "Policy."

K.     Recommendation

We recommend that the CIO revise the outdated program policy and incomplete issue-specific policy for the Department's IT security program as soon as possible.
The revised policy should include:

1.     Current federal criteria for the format and content of IT security plans, as specified in NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998.

2.     A provision for alternatives to formal certifications for lower-risk systems, such as risk analyses or audits.

3.     A provision for self-verification reviews for general support systems with lower risk.

4.     A requirement to notify the OIG in the event of IT security incidents involving the Department's systems, networks, or web sites, or any other IT security matter that involves the manipulation, destruction, or loss of data or systems, or denial of service, including repeated penetration attempts from the same Internet address.

5.     A change in risk assessment emphasis from complex, documented assessments that focus on specific risks to general risk assessments. Also, risk assessments should be linked in policy and practice to the vulnerability assessments required under Presidential Decision Directive 63.

6.     Guidance to operating units that manual operations are generally not a viable backup option for the Department's systems.

7.     A requirement that individuals be trained on how to fulfill their security responsibilities before they are permitted access to sensitive systems.

8.     A change in the Designated Approving Authority for sensitive systems from the CIO to a management official having responsibility for the function supported by the system.

9.     A requirement for operating units to report IT security deficiencies as material weaknesses pursuant to OMB Circular A-123 and FMFIA, and to include in their information resources management plans summaries of agency IT security plans pursuant to the Computer Security Act of 1987. Links should also be added to other federal IT security-related criteria, such as OMB Memorandum 00-07, the Clinger-Cohen Act, Presidential Decision Directive 63, the Government Performance and Results Act, the Chief Financial Officers Act, and the Federal Financial Management Improvement Act.

10.    Issue-specific IT security policy on Internet usage, e-mail, web security, and communications.

L.     CIO response and OIG comments

The CIO agreed with our recommendation to revise and expand the Department's IT security policy and plans to update the policy in the immediate future. However, while the CIO stated that the office followed OMB's model of updating policy only at significant intervals by issuing memorandums, we reaffirm our position that the major revision to OMB Circular A-130 in 1996 constituted the point at which the Department's policy should have been updated. A current, comprehensive, and cohesive IT security policy is the foundation for a sound IT security program.
We recognize that the CIO has significantly improved the Department's IT security program over the past two years, but the program still lacks adequate staff to perform its critical functions.

The CIO disagreed with or asked for further clarification of several statements used to support our recommendations. First, the CIO disagreed with an example we provided of accrediting lower-risk systems based on IT security assessments scheduled to be performed on the Department's critical infrastructure systems. The CIO stated that the Administration had not provided adequate priority and funding to the critical infrastructure program. We agree that the lack of funding significantly affected critical infrastructure program activities. However, in September 2000, the CIO arranged for the training of 36 staff representing a variety of operating units in the methodology for conducting IT security assessments and has encouraged operating units to perform self-assessments. We believe these assessments can contribute to fulfilling accreditation requirements.

Second, although the recommendation to notify the OIG in the event of an IT security incident involving the Department's systems, networks, or web sites was accepted, the CIO requested that the OIG provide specific guidance as to when notification is required. We agree that specific guidance is needed, and we will work with the CIO to define the notification guidance.

Third, the CIO asked for a clarification of our use of the terms specific risks and general risks.
Our source for these terms is Appendix III of OMB’s Circular A-130, and we referenced NIST’s Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, Chapter 7, “Computer Security Risk Management,” October 1995, as additional guidance for performing risk assessments. The intent of OMB Circular A-130 was to change the method used to evaluate security risks from a formal and infrequent assessment, called analyzing specific risks, to a more robust assessment that continually assesses new threats, vulnerabilities to system software, and vulnerabilities to application software, called generally assessing risks.

Fourth, the CIO agreed with our recommendation to report security deficiencies as material weaknesses when there is no assignment of security responsibility, no security plan, or no accreditation, but expressed concerns about the ability to implement this recommendation. We believe, however, that the CIO, along with the operating units, should identify the most critical departmental systems, define a reporting strategy, and specify interim milestones.

Finally, the CIO stated that operating units are already required to report on their strategies to address IT security in their annual plans and does not understand the deficiency. The Department’s IT security policy does not specify this reporting requirement and therefore should be updated to formally establish the requirement.

The CIO’s complete response is included as Appendix B.

II. CIO Has Taken Steps to Improve IT Security, But Additional Efforts Are Needed

As described in the previous section, the Department’s IT security program is not fully in compliance with OMB Circular A-130. Although the CIO has considerably improved IT security compliance recently, for several years there was minimal oversight.
As a result, for many systems valid IT security plans are not in place, and accreditation and verification reviews have not been performed. In addition, several operating units do not have adequate awareness/training programs or incident response capabilities.

We commend the CIO for initiating several actions to bring the Department in compliance with current federal IT security policy. In 1999 the CIO contracted for an evaluation of the Department’s critical infrastructure protection plans and related IT systems security plans. The CIO also issued a June 1999 memorandum calling for operating units to prepare plans and schedules by July 1999 to address the elements of the IT security program outlined in the Department’s IT Management Handbook, Chapter 10, “IT Security.” The memorandum called for submitting new IT security plans for all systems identified by the contractor as having nonexistent or out-of-date plans and to bring all plans into compliance with NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998.

In addition, the CIO used a draft Federal Information Security Assessment Framework from the Federal Chief Information Officers Council to determine the status of operating unit IT security programs by issuing a data call in March 2000. The data call asked operating units about systems inventories, the existence and compliance of IT security plans, risk assessments, contingency plans, accreditations, awareness and training programs, and incident response capabilities.
The CIO then summarized the results and held meetings with the political head of each unit when available, the ranking career executive, the operating unit CIO, and the operating unit IT Security Officer. The purpose of the summary status and meetings was to give operating units advance notice of the assessment criteria that will be adopted by the Department, and to provide the units with an assessment of the strengths and weaknesses of their IT security programs.

The March data call revealed that the Department’s IT security program needed attention. The results showed that the systems inventory was not complete and that overall IT security program compliance was minimal. In addition, IT security awareness/training programs and incident response capabilities were absent or informal. However, follow-up reviews conducted prior to each meeting showed significant improvement in operating unit compliance as a result of the CIO’s initiative. The results of the March 2000 and follow-up status are summarized for the Department as a whole in Figure 1.

We believe the lack of oversight of IT security in the operating units largely contributed to the non-compliance status observed in March 2000. The Department’s IT Security Manager position was vacant for a year prior to June 1997. Until March 2000, only one person handled the function, performing all policy, management, and administrative duties. In March, the position was upgraded, and the function was expanded to four full-time equivalent personnel. However, the group’s most experienced staff member recently left for another position. Staffing and training are priorities for the CIO’s IT security group. Funding for IT security has also been a problem.
There is no central budget for the CIO’s IT security work except for salaries, and the limited available funding must compete with other CIO activities.

Figure 1. Department of Commerce Information Technology Security Program Status

There is an initiative that is intended to improve the authority of operating unit CIOs and better focus IT security oversight and funding. The CIO is proposing a restructuring of the Department’s information technology organization. The restructuring would, among other things, allow the Department’s CIO to establish and evaluate 50 percent of the performance plans for operating unit CIOs and improve performance plans and accountability for all managers and employees who perform IT work. The restructuring is also intended to increase the involvement of operating unit CIOs in budgeting for IT resources.

The Department’s inventory of systems is complete, although a final number will not be available until IT security plans covering multiple systems are tallied. An accurate inventory of the Department’s sensitive systems is important in identifying all systems that should be subject to IT security and covered by IT security plans. The presence and quality of IT security plans are an important indicator of the quality of an operating unit’s IT security program.
IT security plans contain an overview of a system’s security requirements, including rules that delineate responsibilities and expected behavior of all individuals with access to the system, as well as training needs, personnel controls, incident response capability, contingency plans, technical security controls, and system interconnection. Without current plans, there is no assurance that the security of systems containing sensitive information has been fully considered. Risk assessments are important because they identify the threats and vulnerabilities to systems. Contingency plans are needed to determine the viability of back-up procedures for continuing operations. The accreditation process ensures that risk is considered by management before a system is initially commissioned or after it is significantly modified.

The CIO had tentative plans to develop and manage a compliance review program but was not sure of the scope of the oversight and was concerned about whether sufficient resources and funding were available. In October 2000, the Government Information Security Reform Act was signed into law, making it mandatory for the CIO and the Office of Inspector General to conduct annual reviews of IT security in FY 2001 and 2002. OMB issued Memorandum 01-08, Guidance On Implementing the Government Information Security Reform Act, dated January 16, 2001, which endorses the CIO’s use of the CIO Council Framework as the basis for the annual program review. The framework helps agencies to determine the status of their security programs and employs five levels as shown in Figure 2. The framework will employ a self-assessment questionnaire that will be completed by NIST in 2001.
The framework begins with the premise that all agency assets must meet the minimum security requirements of Circular A-130 and results in a compliance level rating for the operating unit.

The OIG responsibilities under the act according to OMB include an evaluation in FY 2001 and 2002 of the Department’s security program and practices. This includes testing the effectiveness of security controls for “an appropriate subset of agency systems.” OIGs should use the results of security-related evaluations performed by other experts, including the agency program reviews performed under the CIO Framework methodology. The CIO and the OIG are encouraged to work closely when developing their work plans to avoid unnecessary duplication and overlap. In accordance with OMB guidance, the OIG will conduct reviews at selected operating units focusing on system-level policy and procedures. These reviews will include testing technical controls.

Figure 2. Federal IT Security Assessment Framework

Level 1: Documented Policy
Level 2: Documented Procedures
Level 3: Implemented Procedures and Controls
Level 4: Tested and Reviewed Procedures and Controls
Level 5: Fully Integrated Procedures and Controls
DOO 15-23, “Chief Information Officer,” July 3, 2000, Section 3.01.c, defines the CIO’s responsibility for implementing OMB Circular A-130 and for developing and implementing a Department of Commerce IT security program to ensure the confidentiality, integrity, and availability of information and IT resources, including the review of IT security, in coordination with the Deputy Assistant Secretary for Security. Section 4.a further defines the CIO’s responsibility to develop, coordinate, and implement programs for the effective management and evaluation of the Department’s IT resources.

The Government Information Security Reform Act and DOO 15-23 require the CIO to exercise broad program responsibility for IT security in the Department. In addition to overseeing the CIO Council Framework self-assessments, the CIO should commit to a program of operating unit reviews that extends beyond the two-year review requirement of the act. The reviews should determine that operating unit program-level and issue-specific policy is in compliance with federal IT security policy and the Department’s revised program-level policy, that each unit has IT security awareness and training programs, and that each unit implements a formal incident response capability.

To ensure that IT security is planned and funded in future IT acquisitions, the CIO should work with the Department’s Office of Acquisition Management and the Office of Budget to ensure that
IT-related procurement specifications for hardware, software or services include adequate security requirements and specifications that are commensurate with the sensitivity of the system, and that security requirements are included in operating unit budgets. The CIO should also notify operating unit heads and CIOs about the requirement to report deficiencies in IT security as material weaknesses pursuant to OMB Circular A-123 and FMFIA, as discussed on page 13 of this report.

The CIO’s program should employ sampling techniques and include review of IT security plans for the most critical Commerce systems to determine whether they comply with NIST Special Publication 800-18. Reviews should also include sampling of operating unit IT security documents to ensure that (1) the accreditation process is functioning properly and that accreditation status reports are accurate, (2) the security controls in each system are reviewed at least every three years or when significant modifications are made to a system, and (3) operating unit systems are audited periodically for illegal software or that some other mechanism exists for ensuring that only legal copies of software are being used. Our office will coordinate with the CIO to ensure that there is no duplication in the systems-level oversight.

A. Recommendation

In addition to the oversight of operating unit self-assessments using the CIO Council Framework, we recommend that the CIO commit to an operating unit compliance review program that extends beyond the FY 2001 and 2002 requirement of the recent Government Information Security Reform Act.
Reviews should begin as soon as possible and should ensure that operating units:

1. Have program-level, issue-specific, and system-level policy in place that complies with federal IT security policy and the Department’s revised program-level policy.

2. Implement formal IT security awareness and training programs.

3. Develop incident response capabilities.

4. Report deficiencies in IT security as material weaknesses pursuant to OMB Circular A-123 and FMFIA.

5. Include IT-related procurement specifications for hardware, software or services, to ensure that they include adequate security requirements and/or specifications that are commensurate with the sensitivity of the system, and that security requirements are included in operating unit budgets. The CIO should work with the Department’s Office of Acquisition Management and the Office of Budget to ensure implementation.
6. We also recommend that the review program include procedures to review on a sample basis operating unit IT security documents to determine that:

   a. IT security plans are prepared for all sensitive systems and that they comply with NIST SP 800-18.

   b. Systems are accredited and that a management official was involved in the accreditation process.

   c. Verification reviews of individual systems are conducted at least every three years or when significant modifications are made to systems and that the scope of the reviews is appropriate based on system risk.

   d. Systems are audited periodically for illegal software or that some other mechanism exists for ensuring that only legal copies of software are being used.

B. CIO response and OIG comments

The CIO agreed to continue the IT security compliance review program beyond the FY 2002 duration of the Government Information Security Reform Act, to begin security reviews as soon as possible, and to make specific security improvements at the operating unit level. However, the response notes that limited staff resources will prevent the CIO from performing hands-on compliance review of operating units to fulfill OMB reporting requirements for FY 2001. To meet the FY 2001 reporting requirements, operating units will perform a self-assessment of their IT security using the Federal CIO Council’s Security Assessment Framework.
Following the FY 2001 review, the CIO will evaluate the results of the self-assessment approach to aid in the planning of future security reviews.

We address the approach to reporting security deficiencies as a material weakness in our previous comments on the CIO’s response to our first finding.

The CIO’s complete response is included as Appendix B.

APPENDIX A

Glossary of IT Security Terms

Accreditation - According to OMB Circular A-130, accreditation is the authorization of a system to process information granted by a management official. By authorizing processing in a system, a manager accepts the risk associated with it.

Classified Information - Information that requires protection against unauthorized disclosure and is marked to indicate its classified status pursuant to Executive Order 12958. Classified information is generally afforded more security than sensitive information.

Certification - An in-depth testing of technical controls. Certification is used to support accreditation.

Critical Infrastructure - Systems essential to the minimum operations of the government. In many cases, the Department’s sensitive and classified information systems are also considered critical infrastructure.

Designated Approving Authority - OMB Circular A-130 requires that general support systems and major applications are authorized for processing before use or when established systems undergo significant changes.
The Department defines the person responsible for authorization as a Designated Approving Authority. According to the Department’s IT security policy, the Designated Approving Authority is responsible for ensuring appropriate and adequate levels of protection for all IT systems.

Firewall - A device that protects a private network from the public part. Usually, a computer is set up to monitor traffic between an Internet site and the Internet. It’s designed to keep unauthorized outsiders from tampering with a computer system, therefore increasing security.

General Support Systems - Interconnected systems that share common functionality. Local area networks and data processing centers that support multiple users are general support systems. OMB assumes that all general support systems contain some sensitive information.

Hacker - A “hacker” was originally someone who “hacks” around with computers and electronics to understand how things work, but over time, this term has been widely accepted as describing someone who breaks into computer systems. Technically, however, “cracker” is a more accurate term for someone who breaks into computer systems with malicious intent.

Incident Response Capability - NIST refers to this as a Computer Security Incident Response Capability and defines it to be a skilled and rapid response capability to computer viruses, malicious user activity, and vulnerabilities associated with high technology before they can cause significant damage.
Various other terminology is associated with this capability, including Computer Incident Response Team, Computer Emergency Response Team, and Computer Incident Response Capability.

Issue-Specific Policy - This level supports program-level policy and is used to address specific issues or topics of concern, such as e-mail security. Section 6.1, “Malicious Software,” in the Department’s IT Security Manual is an example of issue-specific policy.

IT Security Incidents - A compromise of integrity, such as when a virus infects a computer program or a serious system vulnerability is discovered; denial of service, such as when an attacker has disabled a system or a network worm has saturated network bandwidth; misuse, such as when an intruder (or insider) makes unauthorized use of an account; damage, such as when a virus destroys data; and intrusions, such as when an intruder penetrates system security. This phrase is used in this report when referring to Incident Response Capability, defined above.

IT Security Plan - A plan that provides an overview of security requirements of a system and describes the controls in place or planned for meeting those requirements.

Major Application - “Application” refers to the use of information resources (information and information technology) to satisfy a specific set of user requirements. An application could be a payroll system that is supported by a network (general support system) to allow remote entry.
A major application is one that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in it.

Management Controls - Policy, program-, and system-level management, risk management, and assurance (including accreditation).

Operational Controls - Personnel/user controls; preparation for contingencies and disasters; handling security incidents; awareness, training, and education; systems support; and physical and environmental security.

Program-Level Policy - High-level policy used to create an organization’s computer security program. The Department’s Information Technology Management Handbook, Chapter 10, “Information Technology Security,” is an example of program-level policy.

Risk Assessment - The process of analyzing and interpreting risk. Assessing the risk of an asset includes considering vulnerabilities, threats, and safeguards.

Rules of Behavior - Requirements for use of, security in, and the acceptable level of risk for a system. They delineate responsibilities for those with access to the system and specify limits on interconnections to other systems, service provisions, and restoration priorities. They also specify consequences of behavior not consistent with security policy.
Rules of behavior are included in IT security plans.

Sensitive Information - Information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, but that has not been specifically designated with the generally more stringent “classified information” status. All general support systems are assumed to contain sensitive information.

System-Specific Policy - Written by operating units for single systems, system-specific policy is often implemented through the use of access controls and supports program-level and issue-specific policy.

Technical Controls - Features that are part of, or can be used by, systems to improve security. They include procedures for identifying and authenticating system users, restricting access to specified information, establishing audit trails and logs, and using cryptography (the process of mathematically scrambling understandable information, rendering it unintelligible, and subsequently restoring it to an intelligible form).

Verification Reviews - System-level reviews to ensure that appropriate protection is being provided based on a system’s unique requirements. The requirements should be documented in the system’s IT security plan.

Vulnerability Analysis/Assessment - A component of risk assessment. When assessing risk to an asset, vulnerability must be considered along with threats and safeguards.